CVE-2023-41266

CVE-2023-41266 is a high-severity vulnerability in Qlik Qlik Sense with a CVSS 3.x base score of 8.2. It is listed in CISA's Known Exploited Vulnerabilities (KEV) catalog, confirming it has been exploited in the wild (added 2023-12-07). The underlying weakness is classified as CWE-22.

Key facts

Description

A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

CVE-2023-41266: Path Traversal in Qlik Sense Enterprise for Windows Enables Unauthenticated Session Generation and Unauthorized Endpoint Access

AI-generated analysis based on the vulnerability data on this page.

Field Value
CVE CVE-2023-41266
Vendor Qlik
Product Qlik Sense Enterprise for Windows
CVSS v3 8.2 (HIGH)
Vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CWE CWE-22 — Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal")
EPSS 0.84966 (99.68th percentile)
KEV Yes — added 2023-12-07
EU Exploited Yes — since 2023-12-07

Summary

A path traversal vulnerability in Qlik Sense Enterprise for Windows allows an unauthenticated remote attacker to generate an anonymous session and transmit HTTP requests to unauthorized endpoints. This flaw has been actively exploited in the wild and carries a CVSS v3 score of 8.2, reflecting high confidentiality impact and low integrity impact.

Background

Qlik Sense Enterprise for Windows is a widely deployed analytics and business intelligence platform used by organizations to create, share, and consume data visualizations. The product exposes multiple HTTP endpoints for authentication, session management, and API interactions. Under normal operation, unauthenticated users should be restricted to a limited set of public-facing endpoints. The vulnerability described in this advisory allows attackers to bypass these restrictions by exploiting insufficient path traversal controls within the application's request handling logic.

Root Cause

The vulnerability is classified as CWE-22: Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal").

The root cause lies in the application's failure to properly sanitize or normalize user-controllable input that is used to construct file system paths or route internal requests. By injecting traversal sequences (e.g., ..%2F), an attacker can navigate outside the intended directory or endpoint boundary. In this specific case, the traversal enables the attacker to reach an endpoint or resource that generates an anonymous session token, effectively granting the attacker an authenticated context without providing valid credentials. This session can then be used to access additional internal endpoints that would otherwise be protected.

Impact

The CVSS v3 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N quantifies the impact as follows:

  • Attack Vector (AV): Network — exploitable remotely over the internet without any local network access.
  • Attack Complexity (AC): Low — no special conditions or bypasses are required.
  • Privileges Required (PR): None — fully unauthenticated.
  • User Interaction (UI): None — no user action is needed.
  • Scope (S): Unchanged — the vulnerable component is the only one affected.
  • Confidentiality (C): High — unauthorized access to sensitive data and internal endpoints is possible.
  • Integrity (I): Low — limited ability to modify data within the affected component.
  • Availability (A): None — no direct impact on system availability is expected.

The practical impact is severe: an unauthenticated attacker can gain unauthorized access to internal API endpoints, retrieve sensitive configuration or data, and potentially perform limited unauthorized actions within the Qlik Sense environment. The absence of an availability impact does not diminish the severity of unauthorized data access.

Exploitation Walkthrough (Defensive Perspective)

Ethics caveat: This section describes the attack flow at a high level for defensive and detection purposes only. No weaponized exploit code or step-by-step attack instructions are provided.

  1. Reconnaissance: The attacker identifies a publicly accessible Qlik Sense Enterprise for Windows instance, typically via internet-wide scanning or known organizational deployments.
  2. Path Traversal Injection: The attacker sends a crafted HTTP request containing directory traversal sequences in a path or query parameter that the application uses to resolve internal resources or endpoints.
  3. Anonymous Session Generation: The traversal bypasses the intended access boundary and reaches a session-generation endpoint. The application responds with an anonymous session token or cookie, effectively authenticating the attacker as a low-privilege user.
  4. Unauthorized Endpoint Access: Using the generated session, the attacker issues subsequent HTTP requests to internal endpoints that should require authentication. This may include data retrieval, configuration exposure, or other restricted functionality.

Defenders should focus on detecting anomalous path patterns (e.g., sequences containing ..%2F, %2e%2e%2f, or similar encoded variants) in HTTP requests to Qlik Sense endpoints, especially when followed by successful session establishment and subsequent requests to internal APIs.

Affected and Patched Versions

Affected versions (Qlik Sense Enterprise for Windows):

  • May 2023 Patch 3 and earlier
  • February 2023 Patch 7 and earlier
  • November 2022 Patch 10 and earlier
  • August 2022 Patch 12 and earlier

Patched versions:

  • August 2023 IR
  • May 2023 Patch 4
  • February 2023 Patch 8
  • November 2022 Patch 11
  • August 2022 Patch 13

Organizations running any of the affected versions should treat this as a critical patching priority given the active exploitation status.

Remediation

Primary remediation:
Upgrade to the latest patched version as listed above. Qlik has released patches for all supported track lines. Ensure the patch level matches or exceeds the fixed versions before exposing the instance to untrusted networks.

Compensating controls (if immediate patching is not possible):

  • Network segmentation: Restrict access to Qlik Sense Enterprise instances to authorized internal networks or VPN-only access. Do not expose the application directly to the internet unless absolutely necessary.
  • Web Application Firewall (WAF): Deploy a WAF rule set that blocks path traversal sequences in HTTP request paths and query parameters. Ensure the rules cover both raw (..%2F) and encoded variants (%2e%2e%2f, %252e%252e%252f, etc.).
  • Reverse proxy with URL filtering: Place a hardened reverse proxy in front of the Qlik Sense instance and explicitly deny requests containing traversal patterns.
  • Session monitoring: Alert on the creation of anonymous sessions from unexpected source IPs or geolocations.
  • Incident response readiness: Given active exploitation, verify that your incident response team has the capability to investigate unauthorized access to Qlik Sense environments and to identify potential data exfiltration.

Detection

  • Proxy/WAF logs: Search for HTTP requests containing ..%2F, %2e%2e%2f, or similar traversal sequences targeting Qlik Sense endpoints, followed by HTTP 200 responses containing session cookies or tokens.
  • Authentication logs: Monitor for anonymous session creation events that are immediately followed by requests to internal endpoints typically requiring authentication.
  • Endpoint telemetry: On the Qlik Sense server, monitor for unusual file system access patterns or process activity initiated by the web application service account.
  • Network traffic analysis: Look for outbound data transfers from the Qlik Sense server to unexpected destinations after anomalous inbound HTTP requests.

Assessment

CVE-2023-41266 is a high-severity, actively exploited path traversal vulnerability with an EPSS score of 0.84966 (99.68th percentile), indicating a very high probability of exploitation in the wild. Its inclusion in the CISA Known Exploited Vulnerabilities (KEV) catalog on 2023-12-07 and the EU Exploited Vulnerabilities Database confirms that threat actors are leveraging this flaw in real-world attacks.

Key lessons:

  1. Path traversal remains a critical class: Even modern enterprise applications can fall to classic directory traversal when input validation and path normalization are insufficient. Security reviews should always include path-handling logic.
  2. Unauthenticated access to session endpoints is a high-risk design: Any endpoint capable of generating an authenticated session without proper credentials is an attractive target. Such endpoints must be hardened with additional validation and rate limiting.

Organizations should prioritize patching and assume that unpatched internet-facing instances may already be compromised.

References

Frequently asked questions

What is CVE-2023-41266?
A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
How severe is CVE-2023-41266?
CVE-2023-41266 has a CVSS 3.x base score of 8.2, rated high severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity low, and availability none.
Is CVE-2023-41266 being actively exploited?
Yes. CVE-2023-41266 is on CISA's Known Exploited Vulnerabilities (KEV) catalog, added on 2023-12-07, which means active exploitation has been confirmed. It should be prioritised for remediation.
What products are affected by CVE-2023-41266?
CVE-2023-41266 primarily affects Qlik Qlik Sense. In total, 36 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2023-41266?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Because this CVE is known to be actively exploited, treat remediation as urgent — CISA KEV typically sets a short remediation deadline.
Does CVE-2023-41266 have an EU (EUVD) identifier?
Yes. CVE-2023-41266 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2023-45783. It is also flagged as exploited in the EUVD (since 2023-12-07).
When was CVE-2023-41266 published?
CVE-2023-41266 was published on 2023-08-29 and last updated on 2026-06-17.

References

Affected products (36)

More vulnerabilities in Qlik Qlik Sense

All CVEs affecting Qlik Qlik Sense →

Other CWE-22 (Path Traversal) vulnerabilities

Browse all CWE-22 (Path Traversal) vulnerabilities →